<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>Volatility Forensic Analysis Tool | WgpSec Security Team Public Knowledge Base</title>
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <meta name="description" content="Dedicated to building an information-security utopia">
    <meta name="referrer" content="never">
    <meta name="keywords" content="knowledge base,public knowledge base,WgpSec,WgpSec security team knowledge base,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="volatility取证分析工具">Volatility Forensic Analysis Tool <a href="#volatility取证分析工具" class="header-anchor">#</a></h1> <h2 id="关于工具">About the Tool <a href="#关于工具" class="header-anchor">#</a></h2> <h3 id="简单描述">Brief Description <a href="#简单描述" class="header-anchor">#</a></h3> <p>Volatility is an open-source memory forensics framework. It analyses an acquired memory image by locating the kernel data structures inside it, and its plugins use those structures to recover detailed information about memory contents and the running state of the system.</p> <p>Features:</p> <ul><li>Open source: written in Python, so it integrates easily with Python-based host defence frameworks.</li> <li>Multi-platform: full support for Windows, Mac and Linux.</li> <li>Easily extensible: plugins extend Volatility's analysis capabilities.</li></ul> <h3 id="项目地址">Project URL <a href="#项目地址" class="header-anchor">#</a></h3> <p>https://github.com/volatilityfoundation/volatility</p> <h3 id="kali安装">Installing on Kali <a href="#kali安装" class="header-anchor">#</a></h3> <div class="language-"><pre class="language-text"><code>sudo apt-get install volatility
volatility -h
# some errors may be caused by an outdated Kali version
</code></pre></div><h3 id="流程图">Workflow <a href="#流程图" class="header-anchor">#</a></h3> <p><img src="http://peiqi.tech/wgpsec-ctf/ctfwiki/wgp-misc-1-1.png" alt=""></p> <h3 id="常用模块">Common Plugins <a href="#常用模块" class="header-anchor">#</a></h3> <table><thead><tr><th><strong>Plugin name</strong></th> <th><strong>Function</strong></th></tr></thead> <tbody><tr><td>amcache</td> <td>Show AmCache application execution artefacts</td></tr> <tr><td>apihooks</td> <td>Detect API hooks in kernel and process memory</td></tr> <tr><td>atoms</td> <td>List session and window station atom tables</td></tr> <tr><td>atomscan</td> <td>Pool scanner for atom tables</td></tr> <tr><td>auditpol</td> <td>List the audit policy stored in the registry key HKLM\SECURITY\Policy\PolAdtEv</td></tr> <tr><td>bigpools</td> <td>Dump the big page pools using BigPagePoolScanner</td></tr> <tr><td>bioskbd</td> <td>Read the keyboard buffer from real-mode memory (on older machines this can recover the BIOS boot password)</td></tr> <tr><td>cachedump</td> <td>Dump cached domain-account password hashes from memory</td></tr> <tr><td>callbacks</td> <td>Print system-wide notification routines</td></tr> <tr><td>clipboard</td> <td>Extract the contents of the Windows clipboard</td></tr> <tr><td>cmdline</td> <td>Display process command-line arguments</td></tr> <tr><td>cmdscan</td> <td>Extract command history by scanning for _COMMAND_HISTORY</td></tr> <tr><td>connections</td> <td>Print open network connections (Windows XP and 2003 only)</td></tr> <tr><td>connscan</td> <td>Print TCP connection information</td></tr> <tr><td>consoles</td> <td>Extract command history by scanning for _CONSOLE_INFORMATION</td></tr> <tr><td>crashinfo</td> <td>Dump crash-dump information</td></tr> <tr><td>deskscan</td> <td>Pool scanner for tagDESKTOP (desktops)</td></tr> <tr><td>devicetree</td> <td>Show the device tree</td></tr> <tr><td>dlldump</td> <td>Dump DLLs from a process address space</td></tr> <tr><td>dlllist</td> <td>Print the list of loaded DLLs for each process</td></tr> <tr><td>driverirp</td> <td>Driver IRP hook detection</td></tr> <tr><td>drivermodule</td> <td>Associate driver objects with kernel modules</td></tr> <tr><td>driverscan</td> <td>Pool scanner for driver objects</td></tr> <tr><td>dumpcerts</td> <td>Dump RSA private keys and SSL public keys</td></tr> <tr><td>dumpfiles</td> <td>Extract memory-mapped and cached files</td></tr> <tr><td>dumpregistry</td> <td>Dump registry hives from memory to disk</td></tr> <tr><td>editbox</td> <td>Display Edit control text (Listbox support is experimental)</td></tr> <tr><td>envars</td> <td>Display process environment variables</td></tr> <tr><td>eventhooks</td> <td>Print details of Windows event hooks</td></tr> <tr><td>evtlogs</td> <td>Extract Windows event logs (XP/2003 only)</td></tr> <tr><td>filescan</td> <td>Pool scanner for file objects</td></tr> <tr><td>gahti</td> <td>Dump the USER handle type information</td></tr> <tr><td>gditimers</td> <td>Print installed GDI timers and callbacks</td></tr> <tr><td>gdt</td> <td>Display the Global Descriptor Table</td></tr> <tr><td>getservicesids</td> <td>Get service names from the registry and return their SIDs</td></tr> <tr><td>getsids</td> <td>Print the SIDs owning each process</td></tr> <tr><td>handles</td> <td>Print the list of open handles for each process</td></tr> <tr><td>hashdump</td> <td>Dump Windows account password hashes (LM/NTLM) from memory</td></tr> <tr><td>hibinfo</td> <td>Dump hibernation file information</td></tr> <tr><td>hivedump</td> <td>Print a registry hive</td></tr> <tr><td>hivelist</td> <td>Print the list of registry hives</td></tr> <tr><td>hivescan</td> <td>Pool scanner for registry hives</td></tr> <tr><td>hpakextract</td> <td>Extract physical memory from an HPAK (Fast Dump) file</td></tr> <tr><td>hpakinfo</td> <td>Show HPAK file properties and related information</td></tr> <tr><td>idt</td> <td>Display the Interrupt Descriptor Table</td></tr> <tr><td>iehistory</td> <td>Reconstruct Internet Explorer cache and browsing history</td></tr> <tr><td>imagecopy</td> <td>Copy the physical address space out as a raw DD image</td></tr> <tr><td>imageinfo</td> <td>Identify information about the image</td></tr> <tr><td>impscan</td> <td>Scan for calls to imported functions</td></tr> <tr><td>joblinks</td> <td>Print process job link information</td></tr> <tr><td>kdbgscan</td> <td>Search for and dump potential KDBG values</td></tr> <tr><td>kpcrscan</td> <td>Search for and dump potential KPCR values</td></tr> <tr><td>ldrmodules</td> <td>Detect unlinked DLLs</td></tr> <tr><td>lsadump</td> <td>Dump (decrypted) LSA secrets from the registry</td></tr> <tr><td>machoinfo</td> <td>Dump Mach-O file format information</td></tr> <tr><td>malfind</td> <td>Find hidden and injected code</td></tr> <tr><td>mbrparser</td> <td>Scan for and parse potential Master Boot Records (MBRs)</td></tr> <tr><td>memdump</td> <td>Dump the addressable memory of a process</td></tr> <tr><td>memmap</td> <td>Print the memory map</td></tr> <tr><td>messagehooks</td> <td>List desktop and thread window message hooks</td></tr> <tr><td>mftparser</td> <td>Scan for and parse potential MFT entries</td></tr> <tr><td>moddump</td> <td>Dump a kernel driver to an executable file sample</td></tr> <tr><td>modscan</td> <td>Pool scanner for kernel modules</td></tr> <tr><td>modules</td> <td>Print the list of loaded modules</td></tr> <tr><td>multiscan</td> <td>Scan for various objects at once</td></tr> <tr><td>mutantscan</td> <td>Pool scanner for mutex objects</td></tr> <tr><td>notepad</td> <td>Show the text currently displayed in Notepad</td></tr> <tr><td>objtypescan</td> <td>Scan for Windows object type objects</td></tr> <tr><td>patcher</td> <td>Patch memory based on page scans</td></tr> <tr><td>poolpeek</td> <td>Configurable pool scanner plugin</td></tr> <tr><td>printkey</td> <td>Print a registry key with its subkeys and values</td></tr> <tr><td>privs</td> <td>Display process privileges</td></tr> <tr><td>procdump</td> <td>Dump a process to an executable file sample</td></tr> <tr><td>pslist</td> <td>Print all running processes by following the EPROCESS list</td></tr> <tr><td>psscan</td> <td>Pool scanner for process objects</td></tr> <tr><td>pstree</td> <td>Print the process list as a tree</td></tr> <tr><td>psxview</td> <td>Cross-view process listing that reveals hidden processes</td></tr> <tr><td>qemuinfo</td> <td>Dump QEMU information</td></tr> <tr><td>raw2dmp</td> <td>Convert a raw physical memory dump to the WinDbg crash-dump format</td></tr> <tr><td>screenshot</td> <td>Save a pseudo-screenshot based on GDI window information</td></tr> <tr><td>servicediff</td> <td>List Windows services (à la PlugX)</td></tr> <tr><td>sessions</td> <td>List details of _MM_SESSION_SPACE (user logon sessions)</td></tr> <tr><td>shellbags</td> <td>Print ShellBags information</td></tr> <tr><td>shimcache</td> <td>Parse the Application Compatibility Shim Cache registry key</td></tr> <tr><td>shutdowntime</td> <td>Print the machine's shutdown time from the in-memory registry</td></tr> <tr><td>sockets</td> <td>Print the list of open sockets</td></tr> <tr><td>sockscan</td> <td>Pool scanner for TCP socket objects</td></tr> <tr><td>ssdt</td> <td>Display SSDT entries</td></tr> <tr><td>strings</td> <td>Match physical offsets to virtual addresses (slow, verbose)</td></tr> <tr><td>svcscan</td> <td>Scan for Windows services</td></tr> <tr><td>symlinkscan</td> <td>Pool scanner for symbolic link objects</td></tr> <tr><td>thrdscan</td> <td>Pool scanner for thread objects</td></tr> <tr><td>threads</td> <td>Investigate _ETHREAD and _KTHREAD structures</td></tr> <tr><td>timeliner</td> <td>Create a timeline from the various artefacts in memory</td></tr> <tr><td>timers</td> <td>Print kernel timers and associated module DPCs</td></tr> <tr><td>truecryptmaster</td> <td>Recover TrueCrypt 7.1a master keys</td></tr> <tr><td>truecryptpassphrase</td> <td>Find and extract TrueCrypt passphrases</td></tr> <tr><td>truecryptsummary</td> <td>TrueCrypt summary information</td></tr> <tr><td>unloadedmodules</td> <td>Print the list of unloaded modules</td></tr> <tr><td>userassist</td> <td>Print UserAssist registry keys</td></tr> <tr><td>userhandles</td> <td>Dump the USER handle tables</td></tr> <tr><td>vaddump</td> <td>Dump VAD sections to files</td></tr> <tr><td>vadinfo</td> <td>Dump VAD information</td></tr> <tr><td>vadtree</td> <td>Display the VAD tree as a tree</td></tr> <tr><td>vadwalk</td> <td>Walk the VAD tree</td></tr> <tr><td>vboxinfo</td> <td>Dump VirtualBox (virtual machine) information</td></tr> <tr><td>verinfo</td> <td>Print version information from PE images</td></tr> <tr><td>vmwareinfo</td> <td>Dump VMware VMSS/VMSN information</td></tr> <tr><td>volshell</td> <td>Interactive shell into the memory image</td></tr> <tr><td>windows</td> <td>Print desktop windows (verbose)</td></tr> <tr><td>wintree</td> <td>Print the desktop window tree in Z order</td></tr> <tr><td>wndscan</td> <td>Pool scanner for window stations</td></tr> <tr><td>yarascan</td> <td>Scan process or kernel memory with YARA signatures</td></tr></tbody></table> <h3 id="常用命令">Common Commands <a href="#常用命令" class="header-anchor">#</a></h3> <table><thead><tr><th><strong>Function</strong></th> <th><strong>Command line and arguments</strong></th></tr></thead> <tbody><tr><td>List processes</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 pslist</td></tr> <tr><td>List processes (tree view)</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 pstree</td></tr> <tr><td>List processes (psxview cross-view)</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 psxview</td></tr> <tr><td>List network connections</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 netscan</td></tr> <tr><td>List loaded DLLs</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 dlllist</td></tr> <tr><td>Show the SSDT</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 ssdt</td></tr> <tr><td>Show UserAssist artefacts</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 userassist</td></tr> <tr><td>Show ShimCache artefacts</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 shimcache</td></tr> <tr><td>Show ShellBags</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 shellbags</td></tr> <tr><td>List services</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 svcscan</td></tr> <tr><td>Dump Windows account hashes</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 hashdump</td></tr> <tr><td>Show last shutdown time</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 shutdowntime</td></tr> <tr><td>Show IE history</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 iehistory</td></tr> <tr><td>Extract registry data</td> <td>Vol.exe -f Win7_SP1_x86.vmem 
--profile=Win7SP1x86 dumpregistry</td></tr> <tr><td>Parse MFT records</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 mftparser</td></tr> <tr><td>Export MFT records and recover files</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 mftparser --output-file=mftverbose.txt -D mftoutput</td></tr> <tr><td>Recover TrueCrypt master key</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 truecryptmaster</td></tr> <tr><td>Recover TrueCrypt passphrase</td> <td>Vol.exe -f Win7_SP1_x86.vmem --profile=Win7SP1x86 truecryptpassphrase</td></tr></tbody></table> <h2 id="参考文章">References <a href="#参考文章" class="header-anchor">#</a></h2> <p><a href="http://www.secist.com/archives/2076.html" target="_blank" rel="noopener noreferrer">DumpIt.exe process</a></p> <p><a href="https://www.freebuf.com/articles/system/26763.html" target="_blank" rel="noopener noreferrer">Introduction to Volatility</a></p> <p><a href="https://www.cnblogs.com/sesefadou/p/11804566.html" target="_blank" rel="noopener noreferrer">Basic commands</a></p> <p><a href="https://blog.csdn.net/Kevinhanser/article/details/80013033?utm_source=blogxgwz5" target="_blank" rel="noopener noreferrer">Command combinations</a></p> <p><a href="https://www.cnblogs.com/0x4D75/p/11161822.html" target="_blank" rel="noopener noreferrer">Advanced commands</a></p> <p><a href="https://cloud.tencent.com/developer/article/1378638" target="_blank" rel="noopener noreferrer">Basic challenge types and basic forensics</a></p> <p><a href="https://www.freebuf.com/sectool/124690.html" target="_blank" rel="noopener noreferrer">Windows memory forensics with Volatility</a></p> <p><a href="https://www.sohu.com/a/350272484_100124117" target="_blank" rel="noopener noreferrer">Windows forensics</a></p> <p><a href="https://blog.csdn.net/cqupt_chen/article/details/7771417" target="_blank" rel="noopener noreferrer">Memory forensics</a></p> <h2 id="从题目学习volatility取证">Learning Volatility Forensics from Challenges <a href="#从题目学习volatility取证" class="header-anchor">#</a></h2> <h3 id="四川省高校ctf大赛-安恒杯-play-with-cookie">Sichuan Provincial Collegiate CTF [Anheng Cup] - Play with Cookie <a href="#四川省高校ctf大赛-安恒杯-play-with-cookie" class="header-anchor">#</a></h3> <p>Challenge description: we are given a master key file and the target machine's memory image, and must find the flag inside it.</p> <h4 id="了解基本架构">Identifying the basic architecture <a href="#了解基本架构" class="header-anchor">#</a></h4> <div class="language-shell"><pre class="language-shell"><code><span class="token function">sudo</span> volatility -f Cookie.raw imageinfo
</code></pre></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-1.jpg" alt=""></p> <p>Key information obtained:</p> <div class="language-"><pre class="language-text"><code>Win7SP1x86
Image date and time : 2020-02-11 12:11:51 UTC+0000
</code></pre></div><p>The item to look at is Suggested Profile(s): this is the tool's determination of the image's architecture (the Windows build it was taken from), and the profile it names is what later plugin commands must be given so they interpret the image correctly. For this challenge the most likely profile is Win7SP1x86, so every subsequent command takes --profile=Win7SP1x86.</p> <h4 id="敏感信息获取">Recovering sensitive information <a href="#敏感信息获取" class="header-anchor">#</a></h4> <p><code>Get information on all processes and their PIDs</code></p> <div class="language-shell"><pre class="language-shell"><code><span class="token function">sudo</span> volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 pslist <span class="token operator">&gt;</span> pslist.txt
</code></pre></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-2.jpg" alt=""></p> <p><code>Check whether a flag file exists</code></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>volatility -f Cookie.raw --profile=Win7SP1x86 filescan | grep -E &quot;doc|docx|rtf&quot;
</code></pre></div><div class="language- line-numbers-mode"><pre class="language-text"><code>volatility -f Cookie.raw --profile=Win7SP1x86 filescan | grep -E &quot;jpg|jpeg|png|tif|gif|bmp&quot;
</code></pre></div><div class="language- line-numbers-mode"><pre class="language-text"><code>volatility -f Cookie.raw --profile=Win7SP1x86 filescan | grep -E 'flag|ctf'
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>volatility -f Cookie.raw --profile=Win7SP1x86 filescan | grep &quot;Desktop&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-shell line-numbers-mode"><pre class="language-shell"><code>C:<span class="token punctuation">\</span>home<span class="token punctuation">\</span>kali<span class="token punctuation">\</span>桌面<span class="token operator">&gt;</span> volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 filescan <span class="token operator">|</span> <span class="token function">grep</span> <span class="token string">&quot;Desktop&quot;</span>
Volatility Foundation Volatility Framework <span class="token number">2.6</span>
0x000000003e423038      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>AppData<span class="token punctuation">\</span>Roaming<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>Accessibility<span class="token punctuation">\</span>Desktop.ini
0x000000003e486038      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop<span class="token punctuation">\</span>desktop.ini
0x000000003e4ebb08      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Public<span class="token punctuation">\</span>Desktop<span class="token punctuation">\</span>desktop.ini
0x000000003e51c3a0      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>ProgramData<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>System Tools<span class="token punctuation">\</span>Desktop.ini
0x000000003e5789e0      <span class="token number">1</span>      <span class="token number">1</span> R--rw- <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop
0x000000003e5f1668      <span class="token number">2</span>      <span class="token number">1</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop
0x000000003e628400      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>root<span class="token punctuation">\</span>AppData<span class="token punctuation">\</span>Roaming<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>SendTo<span class="token punctuation">\</span>Desktop.ini
0x000000003e663160      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>assembly<span class="token punctuation">\</span>Desktop.ini
0x000000003e66a228      <span class="token number">1</span>      <span class="token number">1</span> RW-rw- <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop<span class="token punctuation">\</span>WIN-I0396FOVLRF-20200211-121148.raw
0x000000003e671d28      <span class="token number">8</span>      <span class="token number">0</span> R--r-d <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop<span class="token punctuation">\</span>DumpIt.exe
0x000000003e69ef80      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>ProgramData<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>Accessibility<span class="token punctuation">\</span>Desktop.ini
0x000000003e6a9d28      <span class="token number">2</span>      <span class="token number">1</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Public<span class="token punctuation">\</span>Desktop
0x000000003e6aacb8      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>ProgramData<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>Desktop.ini
0x000000003e6ff950      <span class="token number">8</span>      <span class="token number">0</span> R--r-d <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop<span class="token punctuation">\</span>DumpIt.exe
0x000000003e70d308      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Media<span class="token punctuation">\</span>Desktop.ini
0x000000003e73af80      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>AppData<span class="token punctuation">\</span>Roaming<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Maintenance<span class="token punctuation">\</span>Desktop.ini
0x000000003e90e718      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>AppData<span class="token punctuation">\</span>Roaming<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>System Tools<span class="token punctuation">\</span>Desktop.ini
0x000000003e919910      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>AppData<span class="token punctuation">\</span>Roaming<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>Desktop.ini
0x000000003e93f578      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>ProgramData<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Accessories<span class="token punctuation">\</span>Tablet PC<span class="token punctuation">\</span>Desktop.ini
0x000000003e95bc98      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>ProgramData<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>Start Menu<span class="token punctuation">\</span>Programs<span class="token punctuation">\</span>Maintenance<span class="token punctuation">\</span>Desktop.ini
0x000000003eb33bc8      <span class="token number">2</span>      <span class="token number">1</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>Desktop
0x000000003f3f55c0      <span class="token number">2</span>      <span class="token number">1</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Public<span class="token punctuation">\</span>Desktop
0x000000003f9871d8      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>root<span class="token punctuation">\</span>Desktop<span class="token punctuation">\</span>desktop.ini
0x000000003fca7630      <span class="token number">1</span>      <span class="token number">0</span> R--rwd <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume1<span class="token punctuation">\</span>Users<span class="token punctuation">\</span>Cookie<span class="token punctuation">\</span>AppData<span class="token punctuation">\</span>Roaming<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>SendTo<span class="token punctuation">\</span>Desktop.ini
</code></pre></div><p>This lists the desktop-related files in the raw image. Nothing useful turns up; we only learn that the user is Cookie.</p> <p><code>Take a look at the machine's screen</code></p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 screenshot --dump-dir<span class="token operator">=</span>./
</code></pre></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-3.jpg" alt=""></p> <p>Only one screen is recovered; it shows that the process in use is DumpIt.exe.</p> <p><code>Look at the user accounts</code></p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 printkey -K <span class="token string">&quot;SAM\Domains\Account\Users\Names&quot;</span>
</code></pre></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-4.jpg" alt=""></p> <p>Only the basic default accounts exist.</p> <p><code>Look at what the processes' command lines show</code></p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 cmdline
</code></pre></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-5.jpg" alt=""></p> <p>We can see some command-line information and process IDs:</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    272
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    360
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid:    412
Command line : wininit.exe
************************************************************************
csrss.exe pid:    420
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid:    480
Command line : winlogon.exe
************************************************************************
services.exe pid:    520
Command line : C:\Windows\system32\services.exe
************************************************************************
lsass.exe pid:    528
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid:    536
Command line : C:\Windows\system32\lsm.exe
************************************************************************
svchost.exe pid:    636
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid:    716
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid:    808
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid:    844
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid:    876
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
audiodg.exe pid:    956
Command line : C:\Windows\system32\AUDIODG.EXE 0x2e8
************************************************************************
svchost.exe pid:   1036
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid:   1132
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
spoolsv.exe pid:   1280
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid:   1376
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
VGAuthService. pid:   1560
Command line : &quot;C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe&quot;
************************************************************************
vmtoolsd.exe pid:   1584
Command line : &quot;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe&quot;
************************************************************************
svchost.exe pid:   1824
Command line : C:\Windows\system32\svchost.exe -k bthsvcs
************************************************************************
dllhost.exe pid:    128
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
************************************************************************
msdtc.exe pid:    596
Command line : C:\Windows\System32\msdtc.exe
************************************************************************
WmiPrvSE.exe pid:    920
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
taskhost.exe pid:   2096
Command line : &quot;taskhost.exe&quot;
************************************************************************
dwm.exe pid:   2188
Command line : &quot;C:\Windows\system32\Dwm.exe&quot;
************************************************************************
explorer.exe pid:   2216
Command line : C:\Windows\Explorer.EXE
************************************************************************
vm3dservice.ex pid:   2404
Command line : &quot;C:\Windows\System32\vm3dservice.exe&quot; -u
************************************************************************
vmtoolsd.exe pid:   2412
Command line : &quot;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe&quot; -n vmusr
************************************************************************
SearchIndexer. pid:   2584
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
WmiPrvSE.exe pid:   2764
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
svchost.exe pid:   3224
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
sppsvc.exe pid:   3272
Command line : C:\Windows\system32\sppsvc.exe
************************************************************************
svchost.exe pid:   3344
Command line : C:\Windows\System32\svchost.exe -k secsvcs
************************************************************************
taskhost.exe pid:   2924
Command line : taskhost.exe $(Arg0)
************************************************************************
SearchProtocol pid:   3520
Command line : &quot;C:\Windows\system32\SearchProtocolHost.exe&quot; Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 &quot;Software\Microsoft\Windows Search&quot; &quot;Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)&quot; &quot;C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc&quot; &quot;DownLevelDaemon&quot; 
************************************************************************
SearchFilterHo pid:   2692
Command line : &quot;C:\Windows\system32\SearchFilterHost.exe&quot; 0 532 536 544 65536 540 
************************************************************************
DumpIt.exe pid:   3632
Command line : &quot;C:\Users\Cookie\Desktop\DumpIt.exe&quot; 
************************************************************************
conhost.exe pid:   1684
Command line : \??\C:\Windows\system32\conhost.exe
************************************************************************
dllhost.exe pid:   3552
</code></pre></div><p>Still no key information.</p> <p><code>Look at the network connections</code></p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 netscan
</code></pre></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-7.jpg" alt=""></p> <p>We see that things become unknown after the 3-minute mark, so we return to the process list to see what was done.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token function">sudo</span> volatility -f Cookie.raw --profile<span class="token operator">=</span>Win7SP1x86 pslist
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-8.jpg" alt=""></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>0x87da3d40 sppsvc.exe             3272    520      4      159      0      0 2020-02-11 12:03:00 UTC+0000                                 
0x87cdbd40 svchost.exe            3344    520      9      310      0      0 2020-02-11 12:03:00 UTC+0000                                 
0x87d65030 taskhost.exe           2924    520      8      181      0      0 2020-02-11 12:09:55 UTC+0000                                 
0x87f2a550 SearchProtocol         3520   2584      7      320      0      0 2020-02-11 12:10:35 UTC+0000           
</code></pre></div><p>Something happened in this 3 to 9 minute window that made the challenge author wait a while. Look up what these processes are and what they are used for.</p> <p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-9.jpg" alt=""></p> <p>Dump the process at this point in the timeline and analyze it:</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>volatility -f Cookie.raw --profile=Win7SP1x86 memdump -p 2924 --dump-dir=./
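</code></pre></div>
<p>The reasoning above (the boot-time processes cluster at 12:03:00, then nothing new until taskhost.exe at 12:09:55) can be automated. The following Python is an added example, not code from the original write-up or from the Volatility project: it parses Volatility 2 <code>pslist</code> output, flags the first process created after a quiet gap, and walks each flagged process up its parent chain. The listing it scans is constructed; only the sppsvc, svchost, taskhost and SearchProtocol rows are taken from the write-up, the other rows (offsets, parent PIDs, times) are made up.</p>

```python
"""Parse Volatility 2 pslist output and flag processes created after a quiet gap.

Added example for this write-up; not code from the original post or from the
Volatility project. Boot-time processes are created within seconds of each
other, so a process whose creation follows minutes of silence is usually one
that a person started, which is the reasoning used above to single out PID 2924.
"""
import re
from datetime import datetime, timedelta

# Constructed pslist excerpt modelled on Cookie.raw. The sppsvc, svchost,
# taskhost and SearchProtocol rows are copied from the write-up; the other
# rows (offsets, parent PIDs, times) are made up for illustration.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8459b020 System                    4      0     79      516 ------      0 2020-02-11 12:02:41 UTC+0000
0x86f8f3b0 smss.exe                272      4      2       29 ------      0 2020-02-11 12:02:41 UTC+0000
0x8705c030 services.exe            520    412      7      214      0      0 2020-02-11 12:02:45 UTC+0000
0x87d51d40 explorer.exe           2216   2172     27      801      1      0 2020-02-11 12:02:55 UTC+0000
0x87da3d40 sppsvc.exe             3272    520      4      159      0      0 2020-02-11 12:03:00 UTC+0000
0x87cdbd40 svchost.exe            3344    520      9      310      0      0 2020-02-11 12:03:00 UTC+0000
0x87d65030 taskhost.exe           2924    520      8      181      0      0 2020-02-11 12:09:55 UTC+0000
0x87f2a550 SearchProtocol         3520   2584      7      320      0      0 2020-02-11 12:10:35 UTC+0000
0x87e1a030 DumpIt.exe             3632   2216      2       35      1      0 2020-02-11 12:11:48 UTC+0000
"""

# One data row: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit].
# Thds/Hnds/Sess print as "------" for some kernel-side processes, hence \S+.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\S+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
    r"(?:\s+(?P<exit>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000)?"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_pslist(text):
    """Return the data rows of a pslist dump as dicts, ordered by creation time."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:                      # banner, header and separator lines
            continue
        procs.append({
            "name": m["name"],
            "pid": int(m["pid"]),
            "ppid": int(m["ppid"]),
            "start": datetime.strptime(m["start"], TS_FMT),
            "exit": datetime.strptime(m["exit"], TS_FMT) if m["exit"] else None,
        })
    return sorted(procs, key=lambda p: (p["start"], p["pid"]))


def processes_after_gap(procs, min_gap_seconds=180):
    """Processes whose creation follows at least min_gap_seconds with no new process.

    The default of three minutes matches the quiet window noticed above."""
    min_gap = timedelta(seconds=min_gap_seconds)
    ordered = sorted(procs, key=lambda p: (p["start"], p["pid"]))
    return [cur for prev, cur in zip(ordered, ordered[1:])
            if cur["start"] - prev["start"] >= min_gap]


def ancestry(procs, pid):
    """Process names from pid up its parent chain, stopping at an unknown PPID.

    A process under services.exe (a service or scheduled task, like the
    taskhost.exe $(Arg0) seen in cmdline) reads very differently from one
    under explorer.exe, which an interactive user launched."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for p in processes_after_gap(procs):
        print(p["pid"], p["name"], p["start"], "parents:", " / ".join(ancestry(procs, p["pid"])))
```

Feed it the saved pslist.txt instead of the sample and the same two calls pick out the late starter and show whether a service host or the logged-in user launched it.
<div class="language- line-numbers-mode"><pre class="language-text"><code>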
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>C:\home\kali\桌面&gt; volatility -f Cookie.raw --profile=Win7SP1x86 memdump -p 2924 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing taskhost.exe [  2924] to 2924.dmp

</code></pre></div><p>This yields the file 2924.dmp.</p> <p><code>Keyword search in the dump</code></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>strings 2924.dmp | grep flag{ ;strings 2924.dmp | grep DASCTF{ ;strings 2924.dmp | grep ctf{
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>C:\home\kali\桌面&gt; strings 2924.dmp | grep flag{ ;strings 2924.dmp | grep DASCTF{ ;strings 2924.dmp | grep ctf{
$value = &quot;flag{528c8870778d2336fdf512652b74a8aa}&quot;;
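</code></pre></div>
<p>The <code>strings | grep</code> pipeline above only reports 8-bit strings; Windows user-mode memory keeps many strings as UTF-16LE, which that pipeline silently skips unless <code>strings -el</code> is also run. The following Python is an added example, not code from the original write-up, from Volatility or from binutils: it scans a dump for the same three flag prefixes in both encodings and reads large .dmp files in chunks. The sample dump it scans is constructed; only the ASCII <code>$value</code> line is taken from the grep result above.</p>

```python
"""Scan a process memory dump for flag-shaped strings in ASCII and UTF-16LE.

Added example for this write-up; not code from the original post, from
Volatility or from binutils. `strings 2924.dmp | grep flag{` only reports
8-bit strings, but Windows user-mode memory keeps many strings as UTF-16LE
(every ASCII byte followed by a NUL), which that pipeline skips unless
`strings -el` is run as well. This scanner checks both encodings in one pass
and reads large .dmp files in chunks so the whole dump never sits in memory.
"""
import io
import re
import sys

PREFIXES = (b"flag", b"DASCTF", b"ctf")   # the prefixes grepped for above (plain letters, nothing to escape)
MAX_BODY = 120                             # longest flag body accepted between the braces


def _wide(s):
    """Widen an ASCII byte string to UTF-16LE: each byte followed by a NUL."""
    return b"".join(bytes([c, 0]) for c in s)


# ASCII: prefix, "{", 1..MAX_BODY printable bytes (lazy, so the first "}" ends it), "}".
ASCII_RE = re.compile(
    rb"(?:" + b"|".join(PREFIXES) + rb")\{[\x20-\x7e]{1," + str(MAX_BODY).encode() + rb"}?\}"
)
# The same shape with every code unit widened to two bytes.
WIDE_RE = re.compile(
    rb"(?:" + b"|".join(_wide(p) for p in PREFIXES) + rb")\{\x00(?:[\x20-\x7e]\x00){1,"
    + str(MAX_BODY).encode() + rb"}?\}\x00"
)
# No match is longer than this; chunked scanning must overlap by at least this much.
MAX_MATCH_LEN = 2 * (max(len(p) for p in PREFIXES) + 2 + MAX_BODY)


def find_flags(data):
    """Return (offset, encoding, text) for every flag-shaped string in data, by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(hits)


def scan_stream(fobj, chunk_size=16 * 1024 * 1024, overlap=MAX_MATCH_LEN):
    """Scan a binary file object chunk by chunk.

    The last `overlap` bytes of each buffer are kept in front of the next chunk,
    so a string straddling a chunk boundary is still seen whole; offsets are
    absolute, and hits in the re-scanned overlap are de-duplicated by offset.
    `overlap` must be at least the longest possible match (MAX_MATCH_LEN)."""
    found, seen = [], set()
    tail, base = b"", 0                     # bytes carried over; absolute offset of buf[0]
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            return found
        buf = tail + chunk
        for off, enc, text in find_flags(buf):
            if base + off not in seen:
                seen.add(base + off)
                found.append((base + off, enc, text))
        tail = buf[-overlap:]
        base += len(buf) - len(tail)


def scan_file(path, **kwargs):
    """Convenience wrapper: scan a .dmp (or a whole memory image) on disk."""
    with open(path, "rb") as f:
        return scan_stream(f, **kwargs)


# Constructed sample "dump": the ASCII hit is the line the write-up found with
# strings | grep; the UTF-16LE hit and the unterminated decoy are made up.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b'$value = "flag{528c8870778d2336fdf512652b74a8aa}";\n'
    + b"\xff\xfe" + "ctf{wide_example}".encode("utf-16-le")
    + b"flag{unterminated"
    + b"\x00" * 8
)


def scan_sample_chunked(chunk_size=50, overlap=40):
    """Run the chunked scanner over SAMPLE_DUMP with tiny chunks to exercise the
    boundary logic. The overlap is lowered below MAX_MATCH_LEN only because the
    sample strings are short; a real dump must keep the default."""
    return scan_stream(io.BytesIO(SAMPLE_DUMP), chunk_size, overlap)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_flags(SAMPLE_DUMP)
    for offset, encoding, text in hits:
        print(f"0x{offset:08x} {encoding:9} {text}")
```
<div class="language- line-numbers-mode"><pre class="language-text"><code>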

</code></pre></div><p>We get the flag.</p> <p>Let's see what is in the file:</p> <p><img src="http://peiqi.tech/ctfbisai/sichun-ctf/sichun-ctf-10.jpg" alt=""></p> <h3 id="v-n2020-公开赛-内存取证">[V&amp;N2020 Open] Memory Forensics <a href="#v-n2020-公开赛-内存取证" class="header-anchor">#</a></h3> <h4 id="查看基本文件架构">Check the basic file architecture <a href="#查看基本文件架构" class="header-anchor">#</a></h4> <p><img src="http://peiqi.tech/buuctf/misc/buuctf-misc-51-1.png" alt=""></p> <h4 id="获取有利信息">Gathering useful information <a href="#获取有利信息" class="header-anchor">#</a></h4> <p>Scan for Notepad-related files:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>kali@kali:~/桌面$ volatility -f mem.raw --profile<span class="token operator">=</span>Win7SP0x86 filescan <span class="token operator">|</span> <span class="token function">grep</span> not
Volatility Foundation Volatility Framework <span class="token number">2.6</span>
0x000000001de89cb8      <span class="token number">6</span>      <span class="token number">0</span> R--r-d <span class="token punctuation">\</span>Device<span class="token punctuation">\</span>HarddiskVolume2<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>System32<span class="token punctuation">\</span>notepad.exe

</code></pre></div><p>Dumping the process and inspecting the file suggests that the file may have been deleted.</p> <p><img src="http://peiqi.tech/buuctf/misc/buuctf-misc-51-2.png" alt=""></p> <h4 id="删除数据恢复">Recovering deleted data <a href="#删除数据恢复" class="header-anchor">#</a></h4> <p>Use the command to recover the data</p> <p><img src="http://peiqi.tech/buuctf/misc/buuctf-misc-51-3.png" alt=""></p> <p>This gives a Baidu Netdisk link and extraction code; downloading it yields an encrypted file.</p> <p>Locate the encryption process</p> <p><img src="http://peiqi.tech/buuctf/misc/buuctf-misc-51-4.png" alt=""></p> <p>Dump the process and use EFDD to decrypt the vol file</p> <p><code>Password obtained: uOjFdKu1jsbWI8N51jsbWI8N5</code></p> <p>Then mount the volume with TrueCrypt using the recovered password to decrypt it.</p> <p><img src="http://peiqi.tech/buuctf/misc/buuctf-misc-51-6.png" alt=""></p> <p>This yields an encrypted flag archive.</p> <h4 id="gimp还原">Recovery with GIMP <a href="#gimp还原" class="header-anchor">#</a></h4> <p>Dump mspaint.exe (pid 2648) and reconstruct its contents with GIMP.</p> <p><img src="http://peiqi.tech/buuctf/misc/buuctf-misc-51-5.png" alt=""></p> <p><code>Password obtained: 1YxfCQ6goYBD6Q</code></p> <p>Opening the encrypted zip file yields the flag.</p> <p><code>RoarCTF{wm_D0uB1e_TC-cRypt}</code></p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">Last updated:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/34.5a911179.js" defer></script>
  </body>
</html>